top of page

Unfamiliar devices in MDE? Don’t panic!

Updated: Jun 4

Cyclotron frequently deploys Microsoft Defender for Endpoint as part of its enterprise Defender XDR deployments. This blog focuses on a specific, often-misunderstood feature of MDE that clients ask us about.


Yeuri Puello

Security Engineer


Customers are often surprised to see devices in their Microsoft Security portal that they haven’t onboarded to Microsoft Defender for Endpoint (MDE). These devices show as “Can be onboarded”, “Unsupported”, or 'Insufficient info”.

Example of devices identified as "Can be Onboarded" in the Microsoft Security Portal

These devices appear because of MDE’s Device Discovery, a default feature. Device Discovery actively scans the network environment to identify and list devices, even those not directly onboarded by the user. As a result, devices that have not completed the onboarding process may still appear in the Security Portal, reflecting their potential for onboarding, their unsupported status, or the insufficient information available about them.


Why Device Discovery?

The Device Discovery feature helps your organization create an inventory of all devices (workstations, servers, IOT’s, network devices), including basic inventory information that can be seen by another device on the same network. It also includes vulnerabilities and security recommendations for machine (like “update Edge”). This also maintains a limited inventory of apps found on the machines.


How does Device Discovery work?

Device Discovery uses onboarded Defender devices to probe the network and find machines in the environment that have not been onboarded. There are two different modes, explained below.


Option 1: Basic discovery mode

In this mode, endpoints passively collect events in your network and extract device information from them. Basic discovery uses the SenseNDR.exe binary for passive network data collection and no network traffic is initiated. Endpoints extract data from all network traffic seen by an onboarded device. With basic discovery, you only gain limited visibility of unmanaged endpoints in your network. Protocols used in Basic discovery mode can be found here.

Option 2: Standard discovery mode (Recommended)

In this mode, your devices actively search your network to gather more data and find additional devices, creating a comprehensive inventory of visible devices. In addition to Basic mode features, Standard mode uses special methods to scan for more devices, resulting in a small increase in network activity. In Standard discovery mode, exposed services are probed by using these protocols.


Frequently Asked Questions

Which onboarded devices can perform discovery?

This feature is currently only available in MDE-enrolled machines running Windows 10 (1809+), Windows 11 or Windows Server 2019+. Other platforms do not yet support this feature.

How frequent is this probing?

When devices exhibit changes in their characteristics, they undergo active probing to ensure that the information stored about them remains current. This happens no more than once every three weeks.

Can I control which devices perform Standard versus Basic discovery?

You can select some or all devices (Recommended) to use for one of the modes, assigning different modes to different sets of devices is currently not supported. Enable it on all compatible onboarded devices by default or choose specific devices by tagging them.

Microsoft Defender for Endpoint's Discovery Setup Options

What is a “transient” device?

The “Transient device” tag indicates a device that was detected for only a short time. We recommend investigating these devices carefully to understand their impact on your network if they appear suspicious or are disallowed. Unclassified devices are devices that do not otherwise have an out-of-the-box category defined.

Example of a "Transient Device" in the Microsoft Security Portal

Cyclotron helps ensure your org receives the maximum value from all your Defender features. Contact nathan.berger@cyclotron.com to engage with Cyclotron for help on Microsoft Defender implementations.

92 views

Comments


Commenting has been turned off.
bottom of page